If you are a developer and you want to sign your code prepare to open your wallet wide and pay….a lot! Even 500 GBP per annum.
If you are making a profit with your software that could be totally acceptable but if you develop just Open Source programs and utilities, like me, you may find it prohibitive.
What are the advantages?
Signing your code adds metadata to your binary (it’s even possible to sign PowerShell scripts) that assures that:
- The identity of the person or entity that signed it is real because the Certification Authority made efforts to determine the veridicality of it.
- The binary hasn’t been modified: every modification of the binary, even a single bit, invalidates the signature.
- Optionally the date and time of the signing operation can be determined with certainty.
Last but not least adds credibility to your software production: the users of your software know that you made it, the binary hasn’t maliciously tampered, and your identity is real.
Starting from Windows 8, Microsoft implemented a functionality called SmartScreen that warns when you download a binary that is ‘untrusted’. If you sign your code with an EV Code Signing certificate, you can bypass that warning.
How can you obtain a certificate?
You can even create your certificate using OpenSSL or your own private PKI solution. Still, the problem is that your certification authority is not recognised on the market and so the root certificate of it is not installed by default in the OS, and so you’re back to square one.
You need to buy the certificate from a recognised Certification Authority.
Which kind of certificate do you need?
You need a Code Signing certificate and normally they come in two flavours:
- Standard Code Sign
- EV (Enhanced Verification) Code Sign
The difference is in the level of checks that the emitter performs to assure your identity, and this is reflected in the price as well.
One good advantage of the EV ones is that your software bypasses the Windows SmartScreen pop-up warnings enhancing your trustability.
The cost of the certificate is between 300 and 500 Pounds per annum.
I’m not rich, what can I do?
After searching a lot for a cheap but trustable solution, I found a company called CERTUM (an Asseco company) based in Poland that offers a special and affordable price for Code Signing certificates specifically tailored for Open Source projects
The cost is 25€ + VAT for the ‘physical‘ certificate and 49€ + VAT for the Cloud solution. I went for the physical solution.
If you go for the ‘physical’ certificate you need to spend, the first time only, 69€ + VAT for the certificate, reader and smart card plus 35€ + VAT for the shipping charges (DHL).
To be able to get this certificate there are some requirements to satisfy:
- It is just for a physical person, not for companies.
- You need to have a valid and verifiable email address.
- You need to prove that you are an active developer in at least one Open Source project (for example you can give them your GitHub URL.)
- You need to provide a copy of your government-issued id (passport, driving license, etc.) and a proof of address (such as a utility bill.)
What do you receive?
After placing your order and paying you will receive in some days a box with the smart card reader and the card: in my case, it was a single USB stick with the smartcard embedded in it.
Inside the sealed box, you find a simple instruction leaflet: I know…you’re so tempted to follow the instructions….please BRACE…RESIST!!! (and continue reading my article.)
Even before plugging the USB stick in your PC, you need to download the software.
The one that I found on the USB stick was dated 2017: the main installer in the root of the drive was not installing anything. Digging in the drive, I found the real installer for the proCertum Card Manager, but during the installation process, it informed me that it was corrupted!
Fortunately, you can find a better and updated version on their website: https://certum.eu/certum/cert,offer_software_and_libraries.xml#
The software you need is the proCertum CardManager.
After installing it, you can plug the USB stick: make sure that your computer can browse the Internet because Windows likes to download some drivers during the process.
Wait until all the drivers are recognised and installed and then follow carefully the instructions you find here: https://www.certum.eu/en/data/Instruction-of-activation-and-installation-of-Code-Signing-Certificate-EN.pdf
The explanations are a bit clumsy, and they refer to the previous version of the software, so some points are not totally clear.
When you reach the “Installation of Certificate” phase make a break and install, if you do not have it already, the JRE (Java Runtime Environment).
On my Windows 7 64 bit I installed the latest I found, x64 version.
I’d recommend using Chrome as a browser to perform the steps described in section 4 “Installation of Certificate“.
During this phase, you will download a JNLP file: to be honest in 25 years of IT career I never come across this kind of files: it is a Java Web Start application. You need to execute it and keep it running for all the certificate installation phase.
If everything goes smoothly you can take a break. before to be able to proceed to the next phase you need to provide them with the proofs of eligibility (government-issued id, a utility bill and proof of being the author of an Open source project). I sent all the required documents at firstname.lastname@example.org
The response time was pretty quick, they just asked to put visible my name on my GitHub profile and then they issued the certificate.
When CERTUM gives you the ”green light‘‘ it’s the time to install the certificate on the USB stick: you can proceed with the phase 5 “Storing the certificate on the card“
Follow the instruction carefully! At the end of the procedure, they mention a phantasmatic button called “Register Certificates“: it does not exist.
Do not worry! It’s not so bad: just press the button “Show Certificate Details” and then press the button “Install Certificate.“
At the end of the process I’d recommend to unplug the USB stick, wait a minute and plug it again.
You’re ready now to sign your files! For Windows, you will need a tool called signtool.exe that you can find in the Windows 10 SDK (you can install it even on Windows 7)
SignTool.exe crash course (for Windows)
I’d recommend, to simplify your life, to append the path of the Windows 10 SDK to your PATH environment variable.
You need to determine the name of your certificate: usually, it contains your email address and the word Open Source.
You need just a partial match to identify it so Open should be sufficient but depends on how many certificates you have installed on the OS and their names.
To sign an executable:
signtool sign /debug /n Open /t http://time.certum.pl/ /fd sha256 /v myExe.exe
To verify the signature:
signtool verify /pa myExe.exe
You can find more information about signtool here.
Certum by Asseco is the only company that I was able to find, at the time of this article, that provides a code signing certificate solution specifically designed for Open Source developers.
The price is reasonable and the level of assurance is good because the certificate is contained in a physical smart card.
The Out of The Box experience is a bit clumsy; the instruction leaflet encourages to plug the USB device and execute a Setup that, in my case, did nothing and the software contained was throwing ”corrupted” errors during installation.
Anyway, after downloading the newest version of their software, the things went better.
I personally found the documentation a bit approximative, outdated, and a bit confusing. Some parts were partial screenshot of their website in Polish, and the explanations need some improvements.
Anyway, in the end, all worked fine.
The ‘certificate validation’ service and the help desk are kind and generally, their response time is quick.
My final conclusion is that is a good value for money product with a quick helpdesk so, I feel to recommend this service.
(Very) Important Disclaimer
My review is independent and unbiased.
I was not paid from anyone to write it and I do not get any advantage of recommending a product instead of another one.
I bought the certificate with my own money. I’m not writing this article because I obtained it for free or for other forms of hidden revenue.
Happy signing 🙂